Thursday, June 7, 2012

LinkedIn Passwords Stolen - the Passwords Suck!

From LinkedIn's blog comes the news of a 'few' passwords being leaked onto the internet. Vicente Silveira writes:

"We want to provide you with an update on this morning’s reports of stolen passwords. We can confirm that some of the passwords that were compromised correspond to LinkedIn accounts. We are continuing to investigate this situation and here is what we are pursuing as far as next steps for the compromised accounts:

  1. Members that have accounts associated with the compromised passwords will notice that their LinkedIn account password is no longer valid.
  2. These members will also receive an email from LinkedIn with instructions on how to reset their passwords. There will not be any links in this email. Once you follow this step and request password assistance, then you will receive an email from LinkedIn with a password reset link.
  3. These affected members will receive a second email from our Customer Support team providing a bit more context on this situation and why they are being asked to change their passwords.
It is worth noting that the affected members who update their passwords and members whose passwords have not been compromised benefit from the enhanced security we just recently put in place, which includes hashing and salting of our current password databases.
We sincerely apologize for the inconvenience this has caused our members. We take the security of our members very seriously. If you haven’t read it already it is worth checking out my earlier blog post today about updating your password and other account security best practices."

While that is disturbing news, this is more disturbing:

Of the 5.8 million unique password hashes, 3.5 million have already been brute-forced.

Here is where it gets funny. Remember the Conficker worm (circa 2008)? It used a list of common passwords (found here) to brute force (guess) its way into the hidden ADMIN$ share that is present by default on Windows machines. (Seems like security issues abound lately, doesn't it?)

Of the passwords used by Conficker, all but two turned up in the LinkedIn hashed password list. The two? "mypc123" and "ihavenopass".

That raises the question: how long would it take to crack your password?
If you're like most individuals on the internet, your password is between 6 and 8 characters long, rarely contains special characters, and sometimes, but not usually, contains numbers. The point is that, using Amazon's EC2 service, I could brute force most such passwords in no more than two days.
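To make concrete why a list of unsalted hashes falls so fast to a wordlist, and how large a 6-8 character keyspace actually is, here is an added Python example; it is not code from the original post. The leaked LinkedIn hashes were unsalted SHA-1, and the script assumes the same. The wordlist, the four sample accounts and the "leak" are constructed inline so it runs offline; the salted scheme (SHA-1 over a random 16-byte salt plus the password) is an illustration, not what LinkedIn deployed; and the hash rate used in the time estimate is an assumed figure, not a measurement.

```python
"""Added example: wordlist attack on unsalted vs per-user-salted hashes, plus keyspace math.

Not code from the original post. The "leak" is constructed inline from sample passwords.
"""
import hashlib
import os

# Constructed wordlist in the style of the Conficker password list (a few entries, not the real list).
WORDLIST = ["123456", "password", "admin", "letmein", "qwerty", "mypc123", "ihavenopass"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


# Constructed sample accounts: three weak passwords and one that is not in the wordlist.
SAMPLE_PASSWORDS = {"alice": "123456", "bob": "letmein", "carol": "qwerty", "dave": "Tr0ub4dor&3"}
# Constructed "leak": unsalted SHA-1 hashes, the same form as the LinkedIn dump (assumed here).
LEAKED_UNSALTED = {sha1_hex(pw) for pw in SAMPLE_PASSWORDS.values()}


def crack_unsalted(leaked_hashes, wordlist):
    """Hash each candidate once and check it against every leaked hash at the same time.

    Returns (cracked {hash: password}, number of hash computations performed).
    """
    cracked = {}
    for candidate in wordlist:
        digest = sha1_hex(candidate)
        if digest in leaked_hashes:
            cracked[digest] = candidate
    return cracked, len(wordlist)


def make_salted_db(passwords):
    """Store sha1(salt || password) with a random 16-byte salt per user (assumed scheme, for illustration)."""
    db = {}
    for user, pw in passwords.items():
        salt = os.urandom(16)
        db[user] = (salt, hashlib.sha1(salt + pw.encode("utf-8")).digest())
    return db


def crack_salted(db, wordlist):
    """With a unique salt per user, every candidate has to be re-hashed for every user.

    Returns (cracked {user: password}, number of hash computations performed).
    """
    cracked = {}
    hash_ops = 0
    for user, (salt, stored) in db.items():
        for candidate in wordlist:
            hash_ops += 1
            if hashlib.sha1(salt + candidate.encode("utf-8")).digest() == stored:
                cracked[user] = candidate
                break
    return cracked, hash_ops


def keyspace(min_len, max_len, alphabet_size):
    """Number of strings of length min_len..max_len over an alphabet of the given size."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def hours_to_exhaust(min_len, max_len, alphabet_size, hashes_per_second):
    """Worst-case time to try the whole keyspace at the given hash rate."""
    return keyspace(min_len, max_len, alphabet_size) / hashes_per_second / 3600.0


if __name__ == "__main__":
    found, ops = crack_unsalted(LEAKED_UNSALTED, WORDLIST)
    print(f"unsalted: cracked {len(found)} of {len(LEAKED_UNSALTED)} with {ops} hash computations")

    found, ops = crack_salted(make_salted_db(SAMPLE_PASSWORDS), WORDLIST)
    print(f"salted:   cracked {len(found)} of {len(SAMPLE_PASSWORDS)} with {ops} hash computations")

    rate = 1e9  # assumed SHA-1 rate for a rented GPU instance; substitute a measured figure
    for name, size in (("lowercase+digits", 36), ("mixed case+digits", 62), ("printable ASCII", 95)):
        print(f"6-8 chars, {name}: {hours_to_exhaust(6, 8, size, rate):,.1f} hours at {rate:.0e} hashes/s")
```

The unsalted run hashes each candidate once and checks it against every leaked hash simultaneously, which is why a single pass over a wordlist recovers millions of accounts at once; with a salt per user the same wordlist must be re-hashed for every user, so the attacker's cost grows with the size of the database instead of staying flat. The keyspace figures show that with a fast hash like SHA-1 a 6-8 character password over letters and digits is within reach of a rented GPU in hours to days, which is why a slow, salted password hash (bcrypt, scrypt or PBKDF2) matters as much as the salt itself.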

So, anybody have a photobucket account?

2 comments:

  1. Really, LinkedIn didn't salt and hash their passwords to start with? I really hope I read that wrong and it wasn't just a plain text column stored in the database before the "enhanced security" changes.

    You can also use rainbow tables to reverse a hashed password, although they don't always work; the chance of them working is greatly increased if it is a common / short / easily guessable password.

    So another reason to make your passwords long and complex. I hate it when sites don't allow you to use special characters in your password.

    Replies
    1. Well, the passwords were not stored as a plain text version of the password. They were hashed first, but the problem was the salts were not unique to each password. In this situation someone can generate rainbow tables as you said, and that is exactly what was done here. It is crazy how fast and easy it is, especially utilizing a resource such as Amazon's EC2 cloud with a GPU cluster. I did this for WPA2 pen testing recently against U-verse's 2Wire routers. I believe that each password was guaranteed to be 10 digits in length, and with WPA the encryption is salted with the SSID of the access point. By first knowing the SSID I was able to generate rainbow tables. All possible combinations of 10 digits came out to about a 100GB dictionary file, which I then hashed using the SSID as the salt. Once that list was generated it is child's play to capture some packets from the access point and run a brute force with rainbow tables. In all the process was about 12 hours.
